Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
David Chadwick
Main Page: David Chadwick (Liberal Democrat - Brecon, Radnor and Cwm Tawe)Department Debates - View all David Chadwick's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)
David Chadwick ExcerptsTuesday 3rd February 2026
(1 day, 18 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Dr Spencer
Q
Stuart Okin: We have a clear understanding of the responsibilities within Ofgem. We are the joint competent authority with the Department for Energy Security and Net Zero. The Department does the designation and instant handling, and we do all the rest of the operations, including monitoring, enforcement and inspections. We understand our remit with NCSC. GCHQ is part of the cyber-security incident response team; it is ultimately responsible there.
Going back to your main concern, we are part of an ecosystem. We have to understand where our lines are drawn, where NCSC’s responsibilities are and what the jobs are. To go back to us specifically, we can talk about engineering aspects, electrical engineering, gas engineering and the cyber elements that affect that, including technology resilience—not cyber. As long as we have clear gateways and communication between each other—and I think that the Bill provides those gateways—that will also assist, but there are clear lines of responsibilities.
Natalie Black: It is clear that there is work to do to get in the same place for the Bill. Exactly as Stuart said, the information gateways will make a massive difference. It is too hard, at the moment, to share information between us and with the National Cyber Security Centre. The fact that companies will have to report within 24 hours not only to us but to the NCSC is very welcome.
To return to my earlier point, we think that there is a bit of work for DSIT to do to help to co-ordinate this quite complicated landscape, and I think that industry would really welcome that.
Ian Hulme: I agree with colleagues. From an ICO perspective, we see our responsibilities as a NIS competent authority as complementary to our role as a data protection regulator. If you want secure data, you have to have secure and resilient networks, which are obviously used to process data. We see it as a complementary set of regulations to our function as a data protection regulator.
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
Q
It strikes me that, if one of the things that this legislation is to guard against is pre-positioning, and there are 14 parallel reporting systems in place, it could be the case that those pre-positioning attacks are not picked up as co-ordinated attacks from another nation state or organisation, because they are not pulled together in time.
Natalie Black: I point to my earlier remarks about information sharing. You are right: that is one of the great benefits of the Bill. To be able to do more, particularly when it comes to pre-positioning attacks, is really important. You will have heard from the NCSC, among others, that that is certainly a threat that we are seeing more and more of.
At the moment, it is too difficult to share information between us. The requirement to have an annual report to the NCSC is a good mechanism for consolidating what we are all seeing, and then for the NCSC to play the role of drawing conclusions. It is worth emphasising that Ofcom is not an operational organisation; we are a regulator. We look to the NCSC to provide threat leadership for what is going on across the piece. I think that that answers your question about where it all comes together.
Stuart Okin: I fully support that. The NSCS will be the hub for that type of threat intel and communications, in terms of risks such as pre-positioning and other areas. The gateways will help us to communicate.
Ian Hulme: Bringing it back to the practicalities of instant reporting, you said that there are potentially 14 lines of incident reporting because there are 14 competent authorities. How that can be consolidated is something to be explored. Put yourself in a position of an organisation that is having to make a report: there needs to be clarity on where it has to make it to and what it needs to report.
David Chadwick
Q
Ian Hulme: As we have already explained, the current regs do not allow us to share the information, which is a bit of a barrier for us. In the future, certainly, we will be working together to try to figure it out. I think that there is also a role for DSIT in that.
Natalie Black: First, we currently have a real problem in that information sharing is much harder than it should be. The Bill makes a big difference in addressing that point, not only among ourselves but with DSIT and NCSC. Secondly, we think that there is an opportunity to improve information reporting, particularly incident reporting, and we would welcome working with DSIT and others—I have mentioned the Digital Regulation Cooperation Forum—to help us find a way to make it easier for industry, because the pace at which we need to move means that we want to ensure that there is no unnecessary rub in the system.
Emily Darlington (Milton Keynes Central) (Lab)
Q
Ian Hulme: We need to think about this as essentially two different regimes. The requirements under data protection legislation to report a data breach are well established, and we have teams, systems and processes that manage all that. There are some notable cases that have been in the public domain in recent months where we have levied fines against organisations for data breaches.
The first thing to realise is that we are still talking about only quite a small sub-sector—digital service providers, including cloud computing service providers, online marketplaces, search engines and, when they are eventually brought into scope, MSPs. A lot of MSPs will provide services for a lot of data controllers so, as I explained, if you have the resilience and security of information networks, that should help to make data more secure in the future.
Dr Spencer
Q
Secondly, on ransomware attacks, you will know that the Government review states that ransomware is
“the greatest of all serious and organised cybercrime threats”.
In your view, what is the scale of that threat and what sectors and businesses are the primary targets?
DCS Andrew Gould: To take the actors first, they are probably quite well known, in terms of the general groupings. Yes, we have our state actors—the traditional adversaries that we regularly talk about—and they generally offer very much a higher-end capability, as you will all be aware.
The next biggest threat group is organised crime groups. You see a real diversity of capability within that. You will see some that are highly capable, often from foreign jurisdictions—Russian jurisdictions or Russian-speaking. The malware developers are often the more sophisticated as service-type offerings. We see more and more ransomware and other crime types almost operating as franchises—“Here is the capability, off you go, give us a cut.” Then they have less control over how those capabilities are used, so we are seeing a real diversification of the threat, particularly when it comes to ransomware.
Then, where you have that proximity to state-directed, if not quite state-controlled—that crossover between some of those high-end crime groups and the state; I am thinking primarily of Russia—it is a lot harder to attribute the intent behind an attack. There is a blurring of who was it and for what purpose was it done, and there is that element of deniability because it is that one further step away.
Moving back down the levels of the organised crime groups, you have a real profusion of less capable actors within that space, from all around the world, driving huge volumes, often using quite sophisticated tools but not really understanding how they work.
What we have seen is almost like a fragmentation in the criminal marketplace. The barrier to criminal entry is probably lower than it has ever been. You can download these capabilities quite readily—you can watch a tutorial on YouTube or anywhere else on how to use them, and off you go, even if you do not necessarily understand the impact. We certainly saw a real shift post pandemic from traditional criminals and crime groups into more online crime, because it was easier and less risky.
You look more broadly at hacktivists, terrorists—who are probably a lot less capable; they might have the intent but not so much the capability—and then the group that are sometimes slightly patronisingly described as script kiddies. These are young individuals with a real interest in developing their skills. They have an understanding that what they are doing is wrong, but they are probably not financially or criminally motivated. If they were not engaging in that kind of cyber-crime, they probably would not be engaging in other forms of criminality, but they can still do a lot of damage with the tools they can get their hands on, given that so many organisations seem to struggle to deliver even a basic level of cyber-resilience and cyber-security.
One of the things that we really noticed changing over the last 18 months is the diversification of UK threats. Your traditional UK cyber-criminal, if there is such a thing, is primarily focused on hacking for personal benefit, ransomware and other activity. Now we are seeing a diversification, and more of a hybrid, cross-organised crime threat. There are often two factors to that. We often hear it described in the media or by us within law enforcement publicly as the common threat—this emerging community online—otherwise known as Scattered Spider.
There, we are seeing two elements to those sorts of groups. You see an element of maybe more traditional cyber-skills engaged in hacking or using those skills for fraud, but we also see those skills being used for Computer Misuse Act offences, in order to enable other offences. One of the big areas for that at the moment that we see is around intimate image abuse. We see more and more UK-based criminals hacking individuals’ devices to access, they hope, intimate images. They then identify the subject of those intimate images, most predominantly women, and then engage in acts of extortion, bullying or harassment. We have seen some instances of real-world contact away from that online contact.
Think of the scale of that and the challenge that presents to policing. I can think of cases in cyber-crime unit investigations across the country where you have got a handful of individuals who have victimised thousands of women in the UK and abroad. You have got these small cyber-crime units of a handful of people trying to manage 4,000 or 10,000 victims.
It is very difficult and very challenging, but the flipside of that is that, if they are UK-based, we have a much better chance of getting hold of them, so we are seeing a lot more arrests for those cross-hybrid threats, which is a positive. There is definitely an emerging cohort that then starts to blend in with threats like Southport and violence-fixated individuals. There seems to be a real mishmash of online threat coming together and then separating apart in a way that we have never seen historically. That is a real change in the UK threat that is driving a lot of policing activity.
Turning to your ransomware question, what is interesting, in terms of the kinds of organisations that are impacted by ransomware, a lot of the ransomware actors do not want to come to notice for hitting critical national infrastructure. They do not want to do the cloning of pipelines. They do not want to be taking out hospitals and the NHS. They know they will not get paid if they hit UK critical national infrastructure, for starters, so there is a disincentive, but they also do not want that level of Government or law enforcement attention.
Think of the disruptive effect that the UK NCA and policing had on LockBit the year before last. LockBit went from being the No. 1 ransomware strain globally to being out of the top 10 and struggling to come back. We saw a real fragmentation of the ransomware market post that. There is no dominant strain or group within that that has emerged to cover that. A lot of those groups that are coming into that space may be a bit less skilled, sophisticated and successful.
The overall threat to organisations is pretty much the same. The volume is the volume, but it is probably less CNI and more smaller organisations because they are more vulnerable and it is less likely to play out very publicly than if there is a big impact on the economy or critical national infrastructure. As such, there is probably not the level of impact in the areas that people would expect, notwithstanding some of the really high-profile incidents we had last year.
David Chadwick
Q
DCS Andrew Gould: That is a really good question. The international jurisdiction challenge for us is huge. We know that is where most of the volumes are driven from, and obviously we do not have the powers to just go over and get hold of the people we would necessarily want to. You will not be surprised to hear that it really varies between jurisdictions. Some are a lot more keen to address some of the threats emanating from their countries than others. More countries are starting to treat this as more of a priority, but it can take years to investigate an organised crime group or a network, and it takes them seconds to commit the crime. It is a huge challenge.
There are two things that we could do more of better—these are things that are in train already. If you think about the wealth of cyber-crime, online fraud and so on, all the data, and a lot of the skills and expertise to tackle that sit within the private sector, whereas in law enforcement, we have the law enforcement powers to take action to address some of it.
With a recent pilot in the City funded by the Home Office, we have started to move beyond our traditional private sector partnerships. We are working with key existing partners—blockchain analytic companies or open-source intelligence companies—and we are effectively in an openly commercial relationship; we are paying them to undertake operational activity on our behalf. We are saying, “Company a, b or c, we want you to identify UK-based cyber-criminals, online fraudsters, money-laundering and opportunities for crypto-seizure under the Proceeds of Crime Act 2002”. They have the global datasets and the bigger picture; we have only a small piece of the puzzle. By working with them jointly on operations, they might bring a number of targets for us, and we can then develop that into operational activity using some of the other tools and techniques that we have.
It is quite early days with that pilot, but the first investigation we did down in the south-east resulted in a seizure of about £40 million-worth of cryptocurrency. That is off a commercial contract that cost us a couple of hundred grand. There is potential for return on investment and impact as we scale it up. It is a capability that you can point at any area of online threat, not just cyber-crime and fraud, so there are some huge opportunities for it to really start to impact at scale.
One of the other things we do in a much more automated and technical way—again funded by the Home Office—is the replacement of the Action Fraud system with the new Report Fraud system. That will, over the next year or so, start to ingest a lot of private sector datasets from financial institutions, open-source intelligence companies and the like, so we will have a much broader understanding of all those threats and we will also be able to engage in takedowns and disruptions in an automated way at scale, working with a lot of the communication service providers, banks and others.
Instead of the traditional manual way we have always been doing a lot of that protection, we can, through partnerships, start doing it in a much more automated and effective way at scale. Over time, we will be able to design out and remove a lot of the volume you see impacting the UK public now. That is certainly the plan.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
Q
DCS Andrew Gould: I love the fact that you have heard of it. One of the things that we struggle with is promoting a lot of these initiatives. Successive Governments actually deserve a lot of credit for the range of services that are provided. We aspire to be a global cyber-power, and in many ways we are. When you look at the range of services, tools, advice and guidance that organisations or the public can get, there is quite a positive story to tell there. I think we struggle to bring that into one single narrative and promote it, which is a real challenge. People just do not know that those services are there.
For those who are not familiar with Police CyberAlarm, it is a Home Office-funded policing tool focused on small and medium-sized organisations that probably do not have the skills or understanding to protect themselves as effectively. They can download that piece of software, and it will sit on their external networks and monitor for attacks. For the first time, it helps us in policing to build a domestic threat picture for small and medium-sized organisations, because everybody has a different piece of the puzzle. GCHQ has great insight into what is coming into the UK infrastructure, but it obviously cannot monitor domestically. Big organisations that provide cyber-security services and monitoring know what is impacting their clients or their organisation, but not everybody else. At policing, we get what is reported, which is a tiny piece of the puzzle. So everyone has a different bit of the jigsaw, and none of it fits together, and, even if it did, there would still be gaps. For SMEs, that is a particular gap.
For us, we get the threat intelligence to drive our operational activity, which has been quite successful for us. The benefit for member organisations—we are up to about 12,000 organisations at the moment, which are mostly schools, because we know that they are the most vulnerable to attack for a variety of reasons—is that, having the free tool available, it can do the monthly vulnerability scans and assessments. So they are getting a report from the police that tells them what they need to fix and what they need to patch.
We do not publicly offer a lifetime monitoring service, because we would not want the liability and responsibility, and we do not have the infrastructure to run that scale of security operation centre. But, in effect, that is actually what we have been doing for a long time—maybe not 24/7, but most of the time—because we have been able to identify precursor activity to ransomware attacks on schools or other organisations, and have been able to step in and prevent it from happening. There have been instances where officers have literally got in cars and gone on a blue light to organisations to say, “You need to shut some stuff off now, because you are about to lose control of your whole organisation.”
To that extent, it has been really impactful, but the challenge for us is how to scale. How do you scale so that people understand that it is there? How do you make it easier for organisations to install? That is one of the things that we are working on at the moment, so that everybody can benefit from the scans and the threat reporting, and we can benefit from a bigger understanding of what is going on.
The flip side of the SME offer from our point of view is our cyber-resilience centres. By working with some of the top student talent in the country, we can scale to offer our member organisations across the country the latest advice and guidance, help them understand what the NCSC advice and guidance is, and then help them to get the right level of security policies, patch their systems and all that kind of thing. It helps them to take the first steps on their cyber-resilience journey, and hopefully be more mature consumers of cyber-security industry services going forward. We are helping to create a market for growth, but also helping those organisations to understand their specific vulnerabilities and improve from a very base level.
Dr Spencer
Q
Richard Starnes: Yes. We have FS-ISAC operating in the United Kingdom and in Europe, with all the major banks, but if you took this and replicated it on an industry-by-industry basis, particularly ones in CNI, that would be helpful. It would also help with information sharing with entities like NCSC and GCHQ.
David Chadwick
Q
Richard Starnes: On what you say about the 18-month tenure, one of the problems is stress. A lot of CISOs are burning out and moving to companies that they consider to have boards that are more receptive to what they do for a living. Some companies get it. Some companies support the CISOs, and maybe have them reporting to a parallel to the CIO, or chief information officer. A big discussion among CISOs is that having a CISO reporting to a CIO is a conflict of interest. A CISO is essentially a governance position, so you wind up having to govern your boss, which I would submit is a bit of a challenge.
How do we help CISOs? First, with stringent application of regulatory instruments. We should also look at or discuss the idea of having C-level or board-level executives specifically liable for not doing proper risk governance of cyber-security—that is something that I think needs to be discussed. Section 172 of the Companies Act 2006 states that you must act in the best interests of your company. In this day and age, I would submit that not addressing cyber-risk is a direct attack on your bottom line.
Dr Gardner
Q
Richard Starnes: I think this should flow from the board to the C-level executives. Most boards have a risk committee of some sort, and I think the chair of the risk committee would be a natural place for that responsibility to sit, but there has to be somebody who is ultimately responsible. If the board does not take it seriously, the C-levels will not, and if the C-levels will not, the rest of the company will not.
Emily Darlington
Q
Richard Starnes: You just stepped on one of my soapbox issues. I would like to see the code of practice become part of the annual Companies House registrations for every registered company. To me, this is an attestation that, “We understand cyber-security, we’ve had it put in front of us, and we have to address it in some way.”
One of the biggest problems, which Andy talked about earlier, is that we have all these wonderful things that the Government are doing with regard to cyber-security, down to the micro-level companies, but there are 5.5 million companies in the United Kingdom that are not enterprise-level companies, and the vast majority of them have 25 employees or fewer. How do we get to these people and say, “This is important. You need to look at this”? This is a societal issue. The code of practice and having it registered through Companies House are the way to do that. We need to start small and move big. Only 3% of businesses are involved in Cyber Essentials, which is just that: the essentials. It is the baseline, so we need to start there.
David Chadwick
Q
Richard Starnes: Throughout my career, I have been involved in cyber incidents from just about day one. One of the biggest problems that you run into in the first 72 hours, for example, is actually determining whether you have been breached. Just because it looks bad does not mean it is bad. More times than not, you have had indicators of compromise, and you have gone through the entire chain, which has taken you a day, or maybe two or three days, of very diligent work with very clever people to determine that, no, you have not been breached; it was a false positive that was difficult to track down. Do you want to open the door to a regulator coming in and then finding out it is a false positive?
You are also going to have a very significant problem with the amount of alerts that you get with a 24-hour notification requirement, because there is going to be an air of caution, particularly with new legislation. Everybody and his brother is going to be saying, “We think we’ve got a problem.” Alternatively, if they do not, then you have a different issue.
The Chair
If there are no further questions, I thank our witness for his evidence. I will suspend the Committee for a few minutes because our next witnesses, who will give evidence online, are not ready yet.
Dr Spencer
Q
Carla, from the Palo Alto Networks perspective, what are your views on the changes to the incident reporting regime under the Bill? Will the approach help or hinder regulators in identifying and responding to the most serious threats quickly?
Chris Parker: I should point out that Carla is also co-chair of the cyber resilience committee, so you have both co-chairs here today.
As large cyber companies, we are very proud of one thing that is pertinent to the sector that may not be clear to everybody outside. I have worked in many sectors, and this is the most collaborative—most of it unseen—and sharing sector in the world. It has to be, because cyber does not respect borders. When we go to the most vulnerable organisations, which one would expect cannot afford things and therefore there must be a function of price, such as SMEs—I was an SME owner in a previous life—that is very dear to us. With the technology that is available, what is really good news is that when people buy cyber-security for their small business—in the UK or anywhere in the world—they are actually buying the same technology; it is effectively just a different engine size in most cases. There are different phases of technology. There is the latest stuff that is coming in, which they may not be getting into yet. However, the first thing to say is that it is a very fair system, and pricing-wise, it is a very fair system indeed for SMEs.
The second point is about making sure we are aware of the amount of free training going on across the world, and most of the vendors—the manufacturers—do that. Fortinet has a huge system of free training available for all people. What does that give? It is not just technical training for cyber-security staff; it is for ordinary people, including administrative workers and the people who are sometimes the ones who let the bad actor in. There are a lot of efforts. There is a human factor, as well as technological and commercial factors.
The other thing I would like to mention is that the cyber resilience committee, which Carla and I are lucky to co-chair, is elected. We have elected quite a large proportion of SME members. There is also a separate committee run by techUK. You heard from Stuart McKean earlier today, and he is one of the co-chairs, or the vice chair, of that committee.
Carla Baker: On incident reporting, as I am sure you are aware, the Bill states that organisations must report an incident if it is
“likely to have an impact”.
Our view, and I think that of techUK, is that the definition is far too broad. Anything that is likely to cause an impact could be a phishing email that an organisation has received. Organisations receive lots and lots of spoof emails.
I will give an example. Palo Alto Networks is one of the largest pure-play cyber-security companies. Our security operations centre—the hub of our organisation—processes something like 90 billion alerts a day. That is just our organisation. Through analysis and automation, the number is whittled down to just over 20,000. Then, through technology and capabilities, it is further whittled down, so that we are analysing about 75 alerts.
You can equate it to a car, for example. If you are driving and see a flashing yellow light, something is wrong. That is like 20,000 alerts. It is then whittled down to about 75, so we would potentially have to report up to 75 incidents per day, and that is just one organisation. There are a lot more. The burden on the regulator would be massive because there would be a lot of noise. It would struggle to ascertain what is the real problem—the high-risk incidents that impact the UK as a whole—and the noise would get in the way of that.
We have come up with a suggestion, an amendment to the legislation, that would involve a more tiered approach. There would be a more measurable and proportionate reporting threshold, with three tiers. The first is an incident that causes material service disruption, affecting a core service, a critical customer or a significant portion of users. The second is unauthorised, persistent access to a system. The third is an incident that has compromised core security controls—that is, security systems. Having a threshold that is measurable and proportionate is easier for organisations to understand than referring to an incident that is
“likely to have an impact”,
because, as I said, a phishing email is likely to cause an impact if an organisation does not have the right security measures in place.
David Chadwick
Q
Chris Parker: That is an excellent question. The good news is that a lot is happening already. An enormous amount of collaborative effort is going on at the moment. We must also give grace to the fact that it is a very new sector and a new problem, so everybody is going at it. That leads me on to the fact that the UK has a critical role in this, but it is a global problem, and therefore the amount of international collaboration is significant—not only from law enforcement and cyber-security agencies, but from businesses. Of course, our footprints, as big businesses, mean that we are always collaborating and talking to our teams around the world.
In terms of what the UK can do more of, a lot of the things that have to change are a function of two words: culture and harmonisation—harmonisation of standards. It is about trying not to be too concerned about getting everything absolutely right scientifically, which is quite tempting, but to make sure we can harmonise examples of international cyber-standards. It is about going after some commonality and those sorts of things.
I think the UK could have a unique role in driving that, as we have done with other organisations based out of London, such as the International Maritime Organisation for shipping standards. That is an aspiration, but we should all drive towards it. I think it is something the UK could definitely do because of our unique position in looking at multiple jurisdictions. We also have our own responsibilities, not only with the Commonwealth but with other bodies that we are part of, such as the United Nations.
It is not all good news. The challenge is that, as much as we know that harmonisation is okay, unfortunately everyone is moving. Things have started, and everyone is running hot. An important point to make is that it is one of the busiest sectors in the world right now, and everybody is very busy. This comes back to the UK having a particular eye on regulatory load, versus the important part that other elements of our society want, which is growth and economic prosperity. We talked earlier about SMEs. They do not have the capability to cover compliance and regulatory load easily, and we would probably all accept that. We have to be careful when talking about things such as designating critical suppliers.
All of this wraps up into increasing collaboration through public-private partnerships and building trust, so that when the Government and hard-working civil servants want to see which boundaries are right to push and which are not, bodies such as the UK cyber resilience committee, which Carla and I are on, can use those collaborative examples as much as possible.
There is quite a lot there, but something the UK certainly should be pushing to do is culture change, which we know has to be part of it—things have been talked about today by various speakers—as well as the harmonisation of standards.
Carla Baker: I think we are in a really interesting and exciting part of policy development: we have the Bill, and we have recently had the Government cyber action plan, which you may have heard about; and the national cyber action plan is coming in a few months’ time. The Government cyber action plan is internally facing, looking at what the Government need to do to address their resilience. The national cyber action plan is wider and looks at what the UK must do. We are at a really exciting point, with lots of focus and attention on cyber-security.
To address your point, I think there are three overarching things that we should be looking at. First is incentivising organisations, which is part of the Bill and will hopefully be a big part of the national cyber action plan. We must incentivise organisations to do more around cyber-security to improve their security posture. We heard from previous panellists about the threats that are arising, so organisations have to take a step forward.
Secondly, I think the Government should use their purchasing power and their position to start supporting organisations that are doing the right thing and are championing good cyber-security. There is more that the Government can do there. They could use procurement processes to mandate certain security requirements. We know that Cyber Essentials is nearly always on procurement tenders and all those types of things, but more can be done here to embed the need for enhanced security requirements.
Thirdly, I think a previous witness talked about information sharing. There is a bit of a void at the moment around information sharing. The cyber security information sharing partnership was set up, I think, 10 years ago—
Chris Parker: Yes, 10 years ago.
Carla Baker: It was disbanded a couple of months ago, and that has left a massive void. How does industry share intelligence and information about the threats they are seeing? Likewise, how can they receive information about the threat landscape? We have sector-specific things, but there isn’t a global pool, and there is a slight void at the moment.
David Chadwick
Q
Chris Parker: It is a national problem. We have had a lot of discussion on that at the techUK cyber resilience committee. We think it is not just about skills and bunging lots of training at people, because you have to work out cyber as a whole. A very small component of cyber is people at the wonderfully high-tech end, where they are coding and writing software. There are an awful lot of jobs in places out there that a lot of people are just not aware of, and perhaps would therefore not be volunteering or aiming towards it—even at their school. There are lots of jobs in cyber sales, marketing and analysis that do not require a very high level of mathematics, for example. Some of them do not need a very high level of mathematics at all. I think that some awareness needs to be built there.
Personally, I would like to see more championing of the people who are in the sector at the moment. We have some fantastic young men and women in the sector, but we also need to make sure they are able to have chartered status. It is out there, now that we are starting, but it needs to gather pace, because we need to make sure these people are represented and feel professional, so that it can be reflected.
Another thing to mention is that there is a lot of effort in the cyber growth partnership, which is run through DSIT and techUK. It is initiating an idea where people will be lent from industry into academia, to offer inspiration but also to improve lecture quality and standards, because things move fast and we are running so hot. It is very hard for academia to keep up. There is quite a lot that can be done to increase the workforce and skills, but going back to our original points, with greater public-private collaboration and discussion, we will get it absolutely right on focusing on the right places to spend resources.
Dr Spencer
Q
Carla Baker: I think that is part of the issue about not having clear criteria about how regulators will designate. That also means that different regulators will take different approaches, so we would welcome more clarity and early consultation around the criteria that will be used for the regulators to designate a critical dependency, which prevents having different regulatory approaches across the 12 different regulators, which we obviously do not want, and gives greater harmonisation and greater clarity for organisations to know, “Okay, I might be brought in, because those are the clear criteria the Government will be using.”
David Chadwick
Q
Chris Parker: The consultation has been a best effort and I think it is a best effort as a function of three things. First, we have a new sector, a new Bill—something very new, it is not repeating something. Secondly, we are doing something at pace, it is a moving target, we have to get on with this, and so there is some compulsion involved. Thirdly, there are already some collaborative areas set up, such as techUK, that have been used. Would I personally have liked to have seen more? Yes—but I am realistic about how much time is needed; when you only have a certain resource, some people have got to do some writing and crafting as well as discussing.
One thing that we could look at, if we did the process again, would be more modelling, exercising and testing the Bill until it shakes a bit more—that is something that perhaps we could do, if we were to do this again. With the Telecommunications (Security) Act 2021, that was done at length and collaboratively with industry, on a nearly fortnightly basis, for some time. Beyond that, I think that we are realistic in industry because we understand the pressures on the people trying to bring legislation in. A second point to remember is that we are all volunteers. Carla and I, and all those on the Cyber Resilience Committee, volunteer away from our day jobs—which are busy—to do all this. There is a realistic expectation, if you like—but I would say there has been a best effort.
Carla Baker: I would like to look to the future. We have all the secondary legislation that is coming—and there will be lot—so we recommend early insights, and time to review and consult, in order to provide that industry insight that we are happy to provide. Let us look to the secondary legislation and hope that there is good consultation there.
The Chair
If there are no further questions from Members, I will thank the witnesses for their evidence. We will now move on to our final panel.
Examination of Witness
Kanishka Narayan MP gave evidence.
David Chadwick
Q
Kanishka Narayan: As I mentioned at the outset, the scope of the sectors is focused on a specific test: are they essential services, the disruption to which could cause an immediate threat to life or have an extremely significant impact on the day-to-day functioning of the country? I do not mean to diminish the significance of electoral services, but, notwithstanding their significant impact on me as a candidate on election day, the test does not appear to be met.
David Chadwick
Q
Kanishka Narayan: It is absolutely critical that boards take their responsibilities to the organisation and the consequences of being in a regulated sector very seriously. The scope of the Bill has been mentioned. The Secretary of State wrote to FTSE 350 businesses, as well as a range of small businesses, to make that point very clear. The cyber assessment framework has particular requirements for boards to take their cyber-security responsibilities seriously. In the course of implementing the Bill and in the secondary legislation process, we will look to ensure that specified security and resilience activities, including the possibility of specific responsibilities, are set out very clearly.